
Jack Wills Ensures PCI DSS Compliance For Over 1 Million Transactions Annually

By ISBuzz Team, February 12, 2014 (updated July 3, 2024)

Despite the recent introduction of version 3 of the Payment Card Industry Security Standards Council Data Security Standard (PCI DSS), in too many scenarios ignorance, complacency and corner-cutting remain the major contributors to card data theft. Yet any organisation that is sceptical of PCI DSS need only look at the ongoing security breaches and the continued targeting of cardholder data by criminals. Indeed, the latest figures from the Nilson Report show that global card losses in 2012 reached $11.27 billion, up 14.6% over the prior year. And the risk associated with non-compliance – fines, brand damage and loss of consumer confidence – should not be underestimated.

However, compliance does not need to be complicated. Fashion apparel retailer Jack Wills is one example of an organisation that has adopted a methodology and culture of continuous real-time security validation, and in doing so has transformed the operation of security best practices into a straightforward and inexpensive exercise, ensuring PCI DSS compliance and card data security for its customers.

The multi-channel ‘Famously British’ fashion apparel retailer Jack Wills sells its products via bricks-and-mortar stores, its website and mail order services, in an industry where consumers’ payment card security is a vital component of business IT strategy and confidence. In 2011, Jack Wills’ growing sales success meant that the organisation reached the critical milestone of processing over 1 million Mastercard or Visa card payment transactions annually, making it a Level 2 merchant and therefore subject to strict PCI DSS validation requirements, including an annual Report on Compliance (ROC). This prompted the retailer to seek a data security provider to guarantee its compliance.

Samir Butt, IT infrastructure analyst, Jack Wills, comments, “We have to ensure that the card processing environment that Jack Wills provides is secure and compliant across all our sales platforms. When the volume of our transactions increased, the level of reporting requirements increased, and we decided to look for a provider with a specialist solution for PCI DSS compliance.

“We selected New Net Technologies Change Tracker and Log Tracker solutions because they were designed at the core as PCI DSS solutions; File Integrity Monitoring is one of the key PCI DSS requirements and we knew that the NNT technology was ahead of the curve and that it would furthermore evolve as the PCI DSS itself evolved.”

New Net Technologies (NNT) Change Tracker provides a cross-platform File Integrity Monitoring capability, which can govern security settings for all servers, EPoS tills and network devices and constantly monitors for any changes.

Samir explains, “We have a consistent build of IT infrastructure across the organisation that ensures it meets the required security standard. Any risk of security being compromised would almost certainly come in the form of a malicious viral attack or from a hacker trying to compromise particular environments. NNT enables us to capture a configuration snapshot and empowers us with the ability to remotely monitor and be alerted to any changes to the infrastructure and the devices on it. And any changes that we’re not aware of will be alerted immediately, so we can see where they originated, what they were and identify what the intention of those changes may be.”

A further requirement of the PCI DSS, the annual ROC, means that Jack Wills must have the functionality to keep a year’s worth of security logs that are generated from any device within its card processing environment.  The NNT Log Tracker solution provides this functionality.

Samir explains, “Log Tracker allows us to capture the year’s security logs from all of the different machines that we use throughout our infrastructure. It allows us to search through these logs for unauthorised access, unauthorised changes, or changes that are authorised but have not been actioned correctly.”

And, although the primary driver behind the implementation of the NNT solutions was to achieve PCI DSS compliance and ensure card security, Jack Wills has noted further benefits.

Samir comments, “We have already seen a plethora of benefits since implementing the New Net Technologies solutions earlier this year. In addition to being 100% PCI DSS compliant, we are now able to fully monitor devices from a security standpoint, eliminating any weaknesses within our environment. Previously we did not have a monitoring solution in place and from that standpoint alone it’s been a blessing.”

Mark Kedgley, CIO, New Net Technologies, comments, “The PCI DSS is pretty demanding for good reason, requiring organisations to implement and adapt security processes and procedures to reflect the changing threat landscape.  We are pleased to be working with such an iconic British brand to ensure that they can detect and protect against the inherent security vulnerabilities that exist within the IT infrastructure and ensure PCI DSS compliance.”

Samir concludes, “We can’t fault our relationship with New Net Technologies. It was clear from the moment we met with them that they are passionate about what they do, they are very knowledgeable and are able to answer all of our questions. This is something that we haven’t experienced with other vendors – there’s always been a knowledge overlap or missing holes.

“The team were keen to accommodate us and saw us working together as a journey, it wasn’t just about selling to us and giving us a certain package, with them it was about an on-going relationship and we continue to work with them in terms of consultancy support.  It is thanks to their dedication that we are now also fully compliant with the latest PCI DSS changes. And, as we grow moving forward and hopefully in time achieve level 1 merchant status, the culture of continuous real-time security validation and the operation of security best practices is something that NNT has instilled that we will continue to carry with us.”

About New Net Technologies

New Net Technologies is a global provider of data security and compliance solutions. We are firmly focused on helping organizations protect their sensitive data against security threats and network breaches in the most efficient and cost effective manner.

New Net Technologies’ easy to use security monitoring and change detection software combines Device Hardening, SIEM, CCM and FIM in one integrated solution, making it straightforward and affordable for organizations of any size to ensure their IT systems remain secure, malware-proof and compliant with the corporate build-standard at all times.

New Net Technologies will safeguard your systems and data, freeing you to focus on delivering your corporate goals.
